Production Workload Identity with SPIRE


Authors:   Ryan Turner


SPIFFE (Secure Production Identity Framework for Everyone) is a framework that provides a new model for identifying workloads, enabling strong authentication in service-to-service communication.
  • SPIFFE is an open-source set of specifications that defines what a workload identity is and how to represent it
  • SPIFFE identifies workloads in a microservices, container-based world without relying on network-level constructs such as IP address or DNS name
  • SPIFFE describes a workload identity through a SPIFFE ID, an identifier string represented as a URI of the form spiffe://trust-domain/path
  • SPIFFE enables federation so that workloads running in different trust domains can talk to each other and trust each other
  • The project is working on improving attestation of supply-chain provenance, enabling secretless authentication to GCP using OpenID Connect federation, and improving key revocation and forced rotation within SPIRE
  • The project is also working on enabling secretless authentication to Azure using OIDC federation and improving the health-check subsystem and error messages
In the previous architecture, each instance of a service ran in its own virtual machine in AWS, which was not an efficient way to run services. The organization wanted to adopt containers and run its services as containers to get a more general compute pool and streamline deployment. However, the existing service-to-service authorization policies were all network-level ACLs, which did not scale as the microservices deployment grew more complex. Additionally, the perimeter-based security model was not sufficient to prevent unauthorized access to services inside the network. SPIFFE provides a new model for identifying workloads that enables strong authentication in service-to-service communication, which addresses these security challenges.
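The two points above that matter most to an implementer are the SPIFFE ID format and the move from network-level ACLs to identity-based authorization. The following Go program is an added example written for this page; it is not code from the talk, from SPIRE, or from the go-spiffe library. It parses and validates a SPIFFE ID string against the constraints of the SPIFFE-ID standard (spiffe scheme, lowercase trust domain, no empty, "." or ".." path segments, no trailing slash, no port or query, at most 2048 bytes), extracts the ID from the single URI SAN an X.509-SVID must carry, and then makes an allow/deny decision from a policy keyed on SPIFFE IDs rather than IPs or DNS names. The trust domains (example.org, partner.example.com), service paths and policy rules are constructed for illustration.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

const spiffeScheme = "spiffe://"

// ID is a parsed SPIFFE ID: spiffe://<trust-domain>/<path>.
type ID struct {
	TrustDomain string // e.g. "example.org"
	Path        string // e.g. "/ns/prod/sa/payments"; empty when the ID names the trust domain itself
}

func (id ID) String() string { return spiffeScheme + id.TrustDomain + id.Path }

// Trust domains allow lowercase letters, digits, '.', '-' and '_'; path segments additionally allow uppercase.
func trustDomainChar(c rune) bool {
	return (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_'
}
func pathChar(c rune) bool { return trustDomainChar(c) || (c >= 'A' && c <= 'Z') }

// Parse validates s against the SPIFFE-ID standard. Anything not in the allowed character
// sets ('?', '#', ':', '@', uppercase in the trust domain, ...) is rejected outright, so a
// valid ID is already in canonical form and String() round-trips it.
func Parse(s string) (ID, error) {
	if len(s) > 2048 {
		return ID{}, errors.New("spiffe id longer than 2048 bytes")
	}
	if !strings.HasPrefix(s, spiffeScheme) {
		return ID{}, errors.New("scheme must be spiffe://")
	}
	td, rest, hasPath := strings.Cut(s[len(spiffeScheme):], "/")
	if td == "" {
		return ID{}, errors.New("empty trust domain")
	}
	for _, c := range td {
		if !trustDomainChar(c) {
			return ID{}, fmt.Errorf("trust domain contains invalid character %q", c)
		}
	}
	id := ID{TrustDomain: td}
	if !hasPath {
		return id, nil
	}
	for _, seg := range strings.Split(rest, "/") {
		switch seg {
		case "":
			return ID{}, errors.New("path has an empty segment or trailing slash")
		case ".", "..":
			return ID{}, errors.New("path contains a relative segment")
		}
		for _, c := range seg {
			if !pathChar(c) {
				return ID{}, fmt.Errorf("path contains invalid character %q", c)
			}
		}
	}
	id.Path = "/" + rest
	return id, nil
}

// IDFromURIs extracts the SPIFFE ID from an X.509-SVID's URI SANs; the standard
// requires exactly one URI SAN and it must be a SPIFFE ID.
func IDFromURIs(uris []*url.URL) (ID, error) {
	if len(uris) != 1 {
		return ID{}, fmt.Errorf("expected exactly one URI SAN, got %d", len(uris))
	}
	return Parse(uris[0].String())
}

// IDFromCert applies the same check to a peer certificate, e.g. the leaf in
// tls.ConnectionState.PeerCertificates after chain validation against the trust bundle.
func IDFromCert(cert *x509.Certificate) (ID, error) { return IDFromURIs(cert.URIs) }

// Policy replaces a network ACL: for each server SPIFFE ID, the client SPIFFE IDs allowed
// to call it. A federated caller from another trust domain is matched on its full ID.
type Policy map[string]map[string]bool

// Allow records that client may call server; both are validated so a malformed rule never matches anything.
func (p Policy) Allow(server, client string) error {
	s, err := Parse(server)
	if err != nil {
		return err
	}
	c, err := Parse(client)
	if err != nil {
		return err
	}
	if p[s.String()] == nil {
		p[s.String()] = map[string]bool{}
	}
	p[s.String()][c.String()] = true
	return nil
}

// Authorized reports whether client may call server (nil-map lookups return false).
func (p Policy) Authorized(server, client ID) bool { return p[server.String()][client.String()] }

func main() {
	policy := Policy{}
	server := "spiffe://example.org/ns/prod/sa/payments"
	// Constructed rules: one caller in the same trust domain, one federated caller.
	for _, c := range []string{"spiffe://example.org/ns/prod/sa/checkout", "spiffe://partner.example.com/sa/reconciler"} {
		if err := policy.Allow(server, c); err != nil {
			panic(err)
		}
	}
	srv, _ := Parse(server)
	// Constructed stand-ins for the URI SAN of each peer's SVID.
	for _, peer := range []string{
		"spiffe://example.org/ns/prod/sa/checkout",
		"spiffe://example.org/ns/dev/sa/checkout",
		"spiffe://partner.example.com/sa/reconciler",
		"spiffe://example.org/ns/prod/sa/../sa/checkout",
	} {
		u, _ := url.Parse(peer)
		id, err := IDFromURIs([]*url.URL{u})
		if err != nil {
			fmt.Printf("%s rejected: %v\n", peer, err)
			continue
		}
		fmt.Printf("%s -> %s allowed=%v\n", id, srv, policy.Authorized(srv, id))
	}
}
```

In a real SPIRE deployment the SVID and trust bundle come from the Workload API rather than from constructed strings, and the authorization check runs after TLS chain validation against that bundle; the point of the policy type is that the decision is keyed on the attested identity, so it survives pods moving between nodes, IP changes, and callers from a federated trust domain.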


Have you ever wondered how to effectively enable secure authentication between workloads and operationalize TLS within your production network at scale? SPIRE, a CNCF Incubating project, addresses these concerns by providing short-lived, automatically rotated identities to workloads based on the SPIFFE specification. This session will introduce the core design of SPIRE and how it can be leveraged in cloud-native architectures to provide defense-in-depth to production environments. To conclude, this session will take a look at some upcoming features that further extend the possibilities of SPIRE as a production identity platform.

